Secure UI: Phishmarked Password Field

One of the issues one has to be careful with while implementing phishmarked UI is noticeability: if the user doesn't notice the phishmarks, they are useless.

The URL displayed in the browser toolbar and the golden lock at the bottom can be seen as weak phishmarks.  The URL is stronger than the golden lock because it varies depending on the site and the page being displayed while the golden lock depends on nothing except the underlying communication protocol being used.

As to their noticeability, both are positioned away from the area the user is interested in, forcing the user to remember to glance up and down.  It's not that glancing is difficult or laborous.  It's remembering to do so that is difficult, particularly when the user is in a task-oriented mindset such as buying something or logging into their bank account.

When a user is faced a login screen like the one shown below, the user is already intent on seeing the pages protected by the password.  If a eye-tracking test is done, the results will show that most of the users will stop briefly over the bold 'login' and then move on to 'username', 'password', and the 'submit' button before moving back to the the two text fields and readying their fingers to type.

What about the browser frame and the rest of the page?  Well, they simply fade in his mind just as the face a bald man fades.  So phishmarks outside the area the user is focusing on is not as effective as those inside.

I chose to protect the password field with phishmark because, well, protecting passwords from phishing is a good idea. :-)  Beside the obvious, the password field can be littered with other graphics with less problems than other UI components because it is used to display only how many characters were typed.

Here is the version using phishmarked password field: 

The background shows a muted 2D fractal landscape that is specific to the user.  The landscape will change over time depending on frequency set by either the user or the IT department.  The phishmark will not be displayed if the password field is on a page not originating from a legitimate site.  As to exactly how this can be done, there are many ways to do it.  BTW, this is a patent-heavy minefield so be careful where you step.

The background could also be site-specific but I think a separate site-and-user specific graphics selected by the user should be overlayed over the user-specific background.  For example, Orkut could let the user select a memorable character out a random selection (i.e. Yamaguchi-like characters) and map it to the user using one of several (possibly patented) techniques.

This is how it would look after user typed the password.

Anyhow, if you need help with phishmarking or phishing in general, let me know (click on my picture).  Despite all the entreprenural activities, I am also a consultant in rather embarrasingly wide range of technologies, security and UI among them.

[Find related posts].

Update:

Please read the post about PassMark patent that could affect phishmarks.